I've recently installed open-audit to see how i like it. and noticed that it's not auditing software. or if it is i don't see it anywhere. when i go to a windows device and view everything there's no software listed. maybe i'm just doing it wrong?

this is in include_input_discoveries.php under "Audit via windows" I tried to catch any errors it might be throwing but it's not doing anything. my last log is "Starting windows audit for 10.2.3.82 (System ID 785)" and then nothing else happens. the php script appears to die at this point although I can't figure out why.

4 answers

It turns out that even though I downloaded the windows installer directly from open-audit, it didn't include the paexec file in c:\xampplite\open-audit\other after downloading the application from https://www.poweradmin.com/paexec/ it started actually doing the audits. the logs however never said it was missing the application or anything it just stopped producing logs.

Sorry i've been MIA for a week i've been working on another project. but back to this issue. i have credentials implemented i can't really confirm they're working since nothing pops up on the remote machine. i'm getting this though on every machine when i click discover. if i run it manually by hitting "audit my pc" it shows the real ip and such. maybe this is related?
windows 127.0.0.1 2018-02-06 12:41:03

Hi,
Can you run an audit within the Open-Audit GUI? If you can try and do it that way. After the audit is complete you can go to Menu -> Discover -> Discoveries -> List discoveries, from here click the blue details icon next to the discovery you created and ran. If you scroll to the bottom of this screen you will see three tabs (Found devices, All IPs, Debug) Click on the debug tab and it will tell you if your credentials are being accepted or not as well as other helpful debug information.
I suggest making sure Open-Audit is installed and set up correctly by following this getting started guide HERE: https://community.opmantek.com/display/OA/Getting+Started
Regards,
Paul M.

I have run multiple discoveries (over and over) trying to get this figured out. at the bottom of the page you describe there is not 3 tabs, however in the list I can find a bunch of these.
45352 2018-02-07 08:13:43 include_input_discoveries discoveries Starting windows audit for 10.5.1.45 (System ID 738) 4.904123
45353 2018-02-07 08:13:43 input discoveries Windows audit is running as LocalSystem, not ideal for 10.5.1.45 (System ID 738) 4.904123
45354 2018-02-07 08:13:43 input discoveries Attempt to delete audit script scripts\audit_windows_18_02_07_14_13_43.vbs succeeded 4.904123
I looked at that script on my server and edited the struser and strpass because they didn't appear to exist. i'm not sure if that will solve the problem or not but i'm going to try.

Hi,
You may be on an older version if you did not see those tabs. That information you gave is some of what the debug log provides anyways. Seeing that the audit is running as LocalSystem makes me think that it could be a credential or firewall issue.
Read through windows sections on this page: https://community.opmantek.com/display/OA/Target+Client+Configuration
It should help you figure out why the discovery isn't fully completing.
Best,
Paul M.

I've went through all of that documentation, that's why I came here.
46092 2018-02-07 08:46:04 wmi_helper wmi_command Attempting to execute command 0.870816 success
Microsoft Windows 10 Pro|C:\WINDOWS|\Device\Harddisk0\Partition4
%comspec% /c start /b wmic /Node:"10.7.1.120" /user:"domain\username" /password:"*********" os get name
these commands are showing success and returning the data which tells me the passwords are working. there's no firewall in between these devices only to the outside world so that shouldn't be an issue either.
my about says "You are running version 2.0.11 of Open-AudIT."
I realize there's a 2.1 which was just released but i'm sure that's probably not the issue.
if I go to a windows machine in devices and look and the audit log it's showing this
windows 127.0.0.1 2018-02-07 08:11:34
which I think is weird. why does it say the IP is 127.0.0.1? there's no debug info and no username listed. I want to say it's a credentials issue but one part of the script was obviously able to use them just fine.

so I went and ran the command that's showing in the discovery I want to run, although it puts a log that says it attempted to run the audit_windows_whatever script I don't see anywhere in the code of discover_subnet that tells it to target that script. am I missing something?

Have you done your first network scan or scan of a single device? If not our Wiki has a lot of great resources to help you out. A good resource to help you get started: Getting Started

When you see that your machine or network has successfully been audited the software installed will be listed under the device details. Go to Menu -> Manage -> Devices -> List Devices. From here click the blue details icon on the left of the screen to view more information about that device. On this screen you should see a summary box on the left hand side with other menu options attached to the bottom (Hardware, Software, Settings). Click the Software tab and then click the software link inside of it. This is where it will show you a list of installed software for that device.